SEC506: Securing Linux/Unix

This course goes beyond securing Linux/Unix. It explains the reasons why, as well as how the attacker is able to penetrate the system. I recommend this for anyone who is involved in administering these systems.

Jeremy Kilgore, Bancfirst

I have been a Unix systems administrator for a couple of decades, but in SEC506 I learned something new every day.

Sheryl Coppenger, NCI Inc.

SEC506: Securing Linux/Unix provides in-depth coverage of Linux and Unix security issues that include specific configuration guidance and practical, real-world examples, tips, and tricks. We examine how to mitigate or eliminate general problems that apply to all Unix-like operating systems, including vulnerabilities in the password authentication system, file system, virtual memory system, and applications that commonly run on Linux and Unix.

The course will teach you the skills to use freely available tools to handle security issues, including SSH, AIDE, sudo, lsof, and many others. SANS' practical approach uses hands-on exercises every day to ensure that you will be able to use these tools as soon as you return to work. We will also put these tools to work in a special section that covers simple forensic techniques for investigating compromised systems.

Course Syllabus

SEC506.1: Hardening Linux/Unix Systems, Part 1

Overview

This course tackles some of the most important techniques for protecting your Linux/Unix systems from external attacks. But it also covers what constitutes those attacks, so that you know what you are defending against. This is a full-disclosure course with in-class demos of actual exploits and hands-on exercises to experiment with various examples of malicious software, as well as different techniques for protecting Linux/Unix systems.

CPE/CMU Credits: 6

Topics

Memory Attacks and Overflows
  - Stack and Heap Overflows
  - Format String Attacks
  - Stack Protection

Vulnerability Minimization
  - Minimization vs. Patching
  - OS Minimization
  - Patching Strategies

Boot-Time Configuration
  - Reducing Services
  - systemd vs init
  - Email Configuration
  - Legacy Services

Encrypted Access
  - Session Hijacking Exploits
  - The Argument For Encryption
  - SSH Configuration

Host-Based Firewalls
  - IP Tables and Other Alternatives
  - Simple Single-Host Firewalls
  - Managing and Automating Rule Updates

SEC506.2: Hardening Linux/Unix Systems, Part 2

Overview

Continuing our exploration of Linux/Unix security issues, this course day focuses on local exploits and access control issues. What do attackers do once they gain access to your systems? How can you detect their presence? How do you protect against attackers with physical access to your systems? What can you do to protect against mistakes (or malicious activity) by your own users?

CPE/CMU Credits: 6

Topics

Rootkits and Malicious Software
  - Backdoors and Rootkits
  - Kernel Rootkits
  - chkrootkit and rkhunter

File Integrity Assessment
  - Overview of AIDE
  - Basic Configuration
  - Typical Usage

Physical Attacks and Defenses
  - Known Attacks
  - Single User Mode Security
  - Boot Loader Passwords

User Access Controls
  - Password Threats and Defenses
  - User Access Controls
  - Environment Settings

Root Access Control With Sudo
  - Features and Common Uses
  - Configuration
  - Known Issues and Work-Arounds

Warning Banners
  - Why?
  - Suggested Content
  - Implementation Issues

Kernel Tuning For Security
  - Network Tuning
  - System Resource Limits
  - Restricting Core Files

SEC506.3: Hardening Linux/Unix Systems, Part 3

Overview

Monitoring your systems is critical for maintaining a secure environment. This course day digs into the different logging and monitoring tools available in Linux/Unix, and looks at additional tools for creating a centralized monitoring infrastructure such as Syslog-NG. Along the way, the course introduces a number of useful SSH tips and tricks for automating tasks and tunneling different network protocols in a secure fashion.

CPE/CMU Credits: 6

Topics

Automating Tasks With SSH
  - Why and How
  - Public Key Authentication
  - ssh-agent and Agent Forwarding

AIDE Via SSH
  - Conceptual Overview
  - SSH Configuration
  - Tools and Scripts

Linux/Unix Logging Overview
  - Syslog Configuration
  - System Accounting
  - Process Accounting
  - Kernel-Level Auditing

SSH Tunneling
  - X11 Forwarding
  - TCP Forwarding
  - Reverse Tunneling Issues

Centralized Logging With Syslog-NG
  - Why You Care
  - Basic Configuration
  - Hints and Hacks for Tunneling Log Data
  - Log Analysis Tools and Strategies

SEC506.4: Linux Application Security, Part 1

Overview

This course examines common application security tools and techniques. The SCP-Only Shell will be presented as an example of using an application under chroot() restriction, and as a more secure alternative to file sharing protocols like anonymous FTP. The SELinux application whitelisting mechanism will be examined in depth. Tips for troubleshooting common SELinux problems will be covered and students will learn how to craft new SELinux policies from scratch for new and locally developed applications. Significant hands-on time will be provided for students to practice these concepts.

CPE/CMU Credits: 6

Topics

chroot() for Application Security
  - What is chroot()?
  - How Do You chroot()?
  - Known Security Issues

The SCP-Only Shell
  - What It Is and How It Works
  - Configuring the chroot() Directory
  - Automounter Hacks for Large-Scale Deployments

SELinux Basics
  - Overview of Functionality
  - Navigation and Command Interface
  - Troubleshooting Common Issues

SELinux and the Reference Policy
  - Tools and Prerequisites
  - Creating and Loading an Initial Policy
  - Testing and Refining Your Policy
  - Deploying Policy Files

SEC506.5: Linux Application Security, Part 2

Overview

This course is a full day of in-depth analysis on how to manage some of the most popular application level services securely on a Linux/Unix platform. We will tackle the practical issues involved with securing two of the most commonly used Internet servers on Linux and Unix: BIND and Apache. Beyond basic security configuration information, we will take an in-depth look at topics like DNSSEC and Web Application Firewalls with mod_security and the Core Rules.

CPE/CMU Credits: 6

Topics

BIND
  - Common Security Issues
  - Split-horizon DNS
  - Configuration for Security
  - Running BIND chroot()ed

DNSSEC
  - Implementation Issues
  - Generating Keys and Signing Zones
  - Key "Rollover"
  - Automation Tools

Apache
  - Secure Directory Configuration
  - Configuration/Installation Choices
  - User Authentication
  - SSL Setup

Web Application Firewalls with mod_security
  - Introduction to Common Configurations
  - Dependencies and Prerequisites
  - Core Rules
  - Installation and Debugging

SEC506.6: Digital Forensics for Linux/Unix

Overview

This hands-on course is designed to be an information-rich introduction to basic forensic principles and techniques for investigating compromised Linux and Unix systems. At a high level, it introduces the critical forensic concepts and tools that every administrator should know and provides a real-world compromise for students to investigate using the tools and strategies discussed in class.

CPE/CMU Credits: 6

Topics

Tools Throughout
  - The Sleuth Kit
  - Foremost
  - chkrootkit
  - lsof and Other Critical OS Commands

Forensic Preparation and Best Practices
  - Basic Forensic Principles
  - Importance of Policy
  - Forensic Infrastructure
  - Building a Desktop Analysis Laboratory

Incident Response and Evidence Acquisition
  - Incident Response Process
  - Vital Investigation Tools
  - Taking a Live System Snapshot
  - Creating Bit Images

Media Analysis
  - File System Basics
  - MAC Times and Timeline Analysis
  - Recovering Deleted Files
  - Searching Unallocated Space
  - String Searches

Incident Reporting
  - Critical Elements of a Report
  - Lessons Learned
  - Calculating Costs

Additional Information

Laptop Required

Students need to bring a properly configured laptop to class EVERY DAY. Throughout the course we will be using a number of different VMware images that will be provided to students on a USB drive (which is yours to keep after the class is over). So it is important that the laptop you bring to class will let you read USB devices, and have enough disk space, CPU power, and memory to unpack the VMware images and run them.

You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can install and run VMware virtualization products. It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.

We recommend the following minimum hardware:

  - 2 GHz 64-bit i5 CPU or better
  - At least 8 GB of RAM
  - At least 50 GB of free disk space (free disk space is CRITICAL)
  - Working, unlocked USB ports

Operating System

Since we will be using VMware, you do not have to have Unix/Linux installed natively on your laptop (though you are welcome to do so if you like). Whatever operating system you choose, it is your responsibility to ensure that VMware is installed and working BEFORE arriving in class.

VMware Product Choice

The VMware images provided in class should work with the VMware Workstation Player (free from the VMware site) or Server products, as well as VMware Workstation. Students have also used VMware Fusion on MacOS successfully.

Anything Can Happen: Be Prepared

It is your responsibility to fully back up your system prior to class.

Questions?

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Understand attacker rootkits and how to detect them with AIDE and rkhunter/chkrootkit.

Press & Reviews

"It sparked my interest to get a deeper understanding of how to secure my systems at work and at home. The instructor's experience as a forensics examiner is of great interest and a definite plus. Great experience!" - Tim Horne, Honeywell Aerospace

Author Statement

A wise man once said, "How are you going to learn anything if you know everything already?" And yet there seems to be a quiet arrogance in the Unix community that we have figured out all of our security problems, as if to say, "Been there, done that." All I can say is that what keeps me going in the Unix field, and the security industry in particular, is that there is always something new to learn, discover, or invent. In 20 plus years on the job, what I have learned is how much more there is that I can learn. I think this is also true for the students in my courses. I regularly get comments back from students who say things like, "I have been using Unix for 20 years, and I still learned a lot in this class." That is really rewarding.

- Hal Pomeranz
